2018 Cyber Security Preparedness Report

The inaugural 2018 Summary Report into the Cyber Security Preparedness of the National and WA Wholesale Markets (The ‘Report’) was in response to recommendation 2.10 from the Finkel Review Report (Independent Review into the Future Security of the National Electricity Market - Blueprint for the Future - June 2017).

Recommendation 2.10 requires an annual report into the cyber security preparedness of the National Electricity Market, developed in consultation with the Australian Cyber Security Centre and the Secretary of the Commonwealth Department of the Environment and Energy and delivered to the Energy Security Board.

2.10.1 - An assessment of the cyber maturity of all energy market participants to understand where there are vulnerabilities.
Utilising the AESCSF, market participants across the National Electricity Market (NEM) and Western Australia Wholesale Electricity Market (WEM) were invited, for the first time, to self-assess the current state maturity of their cyber security capabilities.

AEMO and the Cyber Sector Industry Working Group (CSIWG) experienced a high level of interest and collaboration from market participants throughout this industry-wide initiative. As the completion of the self-assessment process was voluntary, and subject to a compressed time frame, the high proportion of respondents indicated a strong awareness of the importance of this subject across the sector.

145 CEOs representing entities that control 270 market participants were engaged by AEMO and the ACSC. Nominated cyber security contacts from those entities completed 67 self-assessments covering 150 market participants. 21 self-assessments were completed during workshops facilitated by AEMO for 17 high criticality and/or regionally important entities. This response rate delivered market coverage more than 85% for each sub-sector in the NEM and 75%+ in the WEM.

The self-assessments completed by respondents identified opportunities to improve cyber security maturity across the sector.

2.10.2 - A stocktake of current regulatory procedures to ensure they are sufficient to deal with any potential cyber incidents in the National Electricity Market.
AEMO has completed a stocktake and concluded that the current provisions in the national energy regulatory framework are inadequate to address cyber security risk to the National Electricity Market. Changes to the National Electricity Law are required to extend AEMO a clear statutory function to address cyber security risks to the National Electricity Market. Any changes should also apply to the Western Australian Market and to gas under the National Gas Law.

A program of work has now commenced to determine the appropriate next steps to respond to the stocktake.

2.10.3 - An assessment of the Australian Energy Market Operator’s cyber security capabilities and third-party testing.
As a high criticality market participant, AEMO undertook a facilitated self-assessment of its cyber security capability maturity against the AESCSF including how it manages third party testing.

The self-assessment noted that AEMO is an industry leader with respect to cyber security information sharing and collaboration, playing a pivotal role in establishing and driving sector-wide forums and initiatives.

AEMO’s self-assessment results were combined with those from the broader market participant population when responding to Finkel 2.10.1.

2.10.4 - An update from all energy market participants on how they undertake routine testing and assessment of cyber security awareness and detection, including requirements for employee training before accessing key systems.
The AESCSF self-assessments considered how market participants raise cyber security awareness across their workforce so they can detect and report potential cyber security incidents.

Next Steps

The development of the AESCSF has assisted in building collaboration and common purpose across the electricity sector in 2018 and self-assessment results have provided market participants clarity on key areas to focus and prioritise cyber security investment. This provides a strong foundation that will enable the uplift of cyber security maturity across the sector.

Having completed this initial step, a number of next steps have been identified that AEMO, energy sector participants and state and commonwealth partners will focus on during 2019 to continue to build on the momentum established by the framework.

Key activities include:

Establishment of a cyber security vision for the energy sector and defining strategic goals and focus areas;

Development of a roadmap of initiatives to collaboratively address sector-wide areas of lower maturity, for example, development of technical standards;

Enhancement to the AESCSF based on the evolving market, cyber security threat, technology and regulatory landscapes, including alignment with Distributed Energy Resource programs;